Problem with Audit

[aimdev]

Problem with audit

22.1.3 o firmware: improve the connectivity audit

I am on 22.1.4 and I am getting this, despite the fact I can ping from the LAN, and when logged into opnsense the address mirrors.dotsrc.org  and 130.225.254.116.

root@opnsense:~ # ping 130.225.254.116
PING 130.225.254.116 (130.225.254.116): 56 data bytes
64 bytes from 130.225.254.116: icmp_seq=0 ttl=52 time=47.218 ms

root@opnsense:~ # ping mirrors.dotsrc.org
PING mirrors.dotsrc.org (130.225.254.116): 56 data bytes
64 bytes from 130.225.254.116: icmp_seq=0 ttl=52 time=46.910 ms

Also I can access
Welcome to mirrors.dotsrc.org
In addition despite turning all ipv6 off (AFAIK) I see this

Checking connectivity for host: mirrors.dotsrc.org -> 2001:878:346::116

This issue appears to screw up the pligin list, for example all the installed plugins are orphaned, and
there are no uninstalled plugins in the list

Please can someone else check ( I have checked all rules from ICMP, nothing obvious)

Thanks

***GOT REQUEST TO AUDIT CONNECTIVITY***
Currently running OPNsense 22.1.4_1 (amd64/OpenSSL) at Tue Apr  5 10:23:07 BST 2022
Checking connectivity for host: mirrors.dotsrc.org -> 130.225.254.116
PING 130.225.254.116 (130.225.254.116): 1500 data bytes

--- 130.225.254.116 ping statistics ---
4 packets transmitted, 0 packets received, 100.0% packet loss
Checking connectivity for repository (IPv4): https://mirrors.dotsrc.org/opnsense/FreeBSD:13:amd64/22.1
Updating OPNsense repository catalogue...
Fetching meta.conf: . done
Fetching packagesite.txz: .......... done
Processing entries: .......... done
OPNsense repository update completed. 783 packages processed.
Updating SunnyValley repository catalogue...
Fetching meta.conf: . done
Fetching packagesite.txz: .. done
Processing entries: .... done
SunnyValley repository update completed. 32 packages processed.
All repositories are up to date.
Checking connectivity for host: mirrors.dotsrc.org -> 2001:878:346::116
ping6: UDP connect: No route to host
Checking connectivity for repository (IPv6): https://mirrors.dotsrc.org/opnsense/FreeBSD:13:amd64/22.1
Updating OPNsense repository catalogue...
pkg: https://mirrors.dotsrc.org/opnsense/FreeBSD:13:amd64/22.1/latest/meta.txz: Non-recoverable resolver failure
repository OPNsense has no meta file, using default settings
pkg: https://mirrors.dotsrc.org/opnsense/FreeBSD:13:amd64/22.1/latest/packagesite.txz: Non-recoverable resolver failure
Unable to update repository OPNsense
Updating SunnyValley repository catalogue...
pkg: https://updates.sunnyvalley.io/opnsense/FreeBSD:13:amd64/22.1/OpenSSL/latest/meta.txz: Non-recoverable resolver failure
repository SunnyValley has no meta file, using default settings
pkg: https://updates.sunnyvalley.io/opnsense/FreeBSD:13:amd64/22.1/OpenSSL/latest/packagesite.txz: Non-recoverable resolver failure
Unable to update repository SunnyValley
Error updating repositories!
***DONE***

[aimdev]

I have installed 22.1.5, but the audit issu is still apparent. A confirmation of the issue would be useful

Tks

Aimee

[franco]

Not sure what you mean... the audit tries to verify that IPv6 works or not and it says it doesn't. If you don't prefer IPv4 in general settings the updates can break. That's all there is to it.


Cheers,
Franco

[aimdev]

Not sure what you mean... the audit tries to verify that IPv6 works or not and it says it doesn't. If you don't prefer IPv4 in general settings the updates can break. That's all there is to it.


Cheers,
Franco

I assume you mean this setting
Prefer IPv4 over IPv6
which has been set since before and including 22.1.
I have done audits in the past, and there has been no issues.
I fail to understand why a normal cli ping works, but the ping within the audit page does not.

[cookiemonster]

Because ping and ping6 are not the same.

Checking connectivity for host: mirrors.dotsrc.org -> 2001:878:346::116
ping6: UDP connect: No route to host

As to where you have that set if you already have to prefer ipv4 over ipbv6, I don't know. That seems to be the better question.

[Patrick M. Hausen]

The audit reads:

Checking connectivity for repository (IPv4):
[...]
All repositories are up to date.

And then in a second step:

Checking connectivity for repository (IPv6):
[...]
Error updating repositories!

Which boils down to:

• everything is cool with IPv4
• repositories don't work with IPv6

A pretty fitting report of your situation if you don't have IPv6 connectivity. So what's your point?

[aimdev]

Because ping and ping6 are not the same.

Checking connectivity for host: mirrors.dotsrc.org -> 2001:878:346::116
ping6: UDP connect: No route to host

As to where you have that set if you already have to prefer ipv4 over ipbv6, I don't know. That seems to be the better question.

System: Settings: General Networking Prefer IPv4 over IPv6  Prefer to use IPv4 even if IPv6 is available
The setting is set (tick in the box)

[aimdev]

The audit reads:

Checking connectivity for repository (IPv4):
[...]
All repositories are up to date.

And then in a second step:

Checking connectivity for repository (IPv6):
[...]
Error updating repositories!

Which boils down to:

• everything is cool with IPv4
• repositories don't work with IPv6

A pretty fitting report of your situation if you don't have IPv6 connectivity. So what's your point?

This
Checking connectivity for host: mirrors.dotsrc.org -> 130.225.254.116
PING 130.225.254.116 (130.225.254.116): 1500 data bytes

--- 130.225.254.116 ping statistics ---
4 packets transmitted, 0 packets received, 100.0% packet loss

PING does not state which type of ping, 4 or 6
Also the prefer ipv4 over ipv6 is set, so why if ping4 is successful is there any need to try ping6

[Patrick M. Hausen]

That is an IPv4 ping.

[aimdev]

That is an IPv4 ping.

Thank you for the clarification.
Why then does a ping4 fail in the audit program but succeeds when run on the cli, as I stated earlier?

[franco]

The audit was changed in 22.1.3 to test IPv4 and IPv6 under harder conditions:

> 1500 data bytes

So that means fragmentation doesn't work for reasons. Sometimes these are hard to catch but you can see that the actual update of the repository went fine anyway.

All in all, it's just a debug tool, not a checklist to pass with flying colours.


Cheers,
Franco

[cookiemonster]

Out of interest, with this setting

System: Settings: General Networking Prefer IPv4 over IPv6  Prefer to use IPv4 even if IPv6 is available
The setting is set (tick in the box)

Does:
Interfaces > WAN > Generic configuration>  "IPv6 Configuration Type" = [something]
overrides the above? I don't use ipv6, my setting is "None". I am curious what the expected behaviour is.

[franco]

The setting alters system DNS resolution in a way to ensure that IPv4 addresses are used as opposed to defaulting to IPv6 if both are available.


Cheers,
Franco

[cookiemonster]

Understood, thank you.

[aimdev]

The audit was changed in 22.1.3 to test IPv4 and IPv6 under harder conditions:

> 1500 data bytes

So that means fragmentation doesn't work for reasons. Sometimes these are hard to catch but you can see that the actual update of the repository went fine anyway.

All in all, it's just a debug tool, not a checklist to pass with flying colours.


Cheers,
Franco

Might I suggest for HMI reasons, the tag Audit is changed to Debug, or even better a separate Debug page?
Then the Audit page can be used as, well an Audit page, without the ping testing.